[WIP] Rootless bridge: preserve source IPs via pesto/pasta

[Honny1]

Require passta version: tbd

Local Passt Setup

# Build pasta with pesto support
git clone git://passt.top/passt && cd passt
git checkout bc872d91765d
b4 shazam https://archives.passt.top/passt-dev/20260323073732.3158468-1-david@gibson.dropbear.id.au/
make && sudo make install

TODO:

• Vendor container libs
• Rebase after removal of slirp
• Documentation
• Deal with the strict pasta version question. Should the option for rootlessport exist, or can it be dropped fully?
• Remove cmd/rootlessport/ binary and pkg/rootlessport/ package (now dead code for bridge networking)
• Do changes in Netavark: https://github.com/containers/podman/pull/28478/changes#diff-86ff1299acfb5c565b41efff66d19b8c6920cdaa724fa11942d40c59ed94905aR80

Replace rootlessport with pesto for rootless bridge network port forwarding, preserving source IPs.

I did the replacement since the target is 6.0, and I didn't bother providing both ways. But probably it should be part of dissuasion.

Problem

When running rootless containers on a bridge network (podman run -p 8080:80 --network mynet), the old rootlessport userspace TCP/UDP proxy destroyed source IP information. Every connection appeared to come from 127.0.0.1 inside the container, regardless of the actual client IP.

Solution

Pesto is a client tool for passta that dynamically updates port forwarding rules via a UNIX domain socket. Instead of proxying traffic in userspace (which loses source IPs), pesto configures pasta to forward at the kernel level using splice (localhost) or TAP (external traffic), preserving the original source IP.

How it works

Host -> pasta (splice/TAP) -> rootless netns -> netavark bridge DNAT -> container

1. A shared pasta instance runs in the rootless network namespace with a control socket (-c pasta.sock)
2. On container start: netavark sets up the bridge + nftables DNAT rules, then pesto replaces pasta's entire forwarding table with the aggregate ports of all running bridge containers
3. On container stop: pesto updates the table without the stopped container's ports, then netavark tears down bridge/DNAT
4. On network connect/disconnect/reload: pesto replaces the table to reflect the new state

Key implementation details:

• portMappingsForNetavark() strips HostIP from port mappings before passing them to netavark in rootless mode. Pesto handles host-side address binding via pasta; netavark's DNAT rules inside the rootless netns must not restrict on destination address since pasta's splice delivers traffic with a different address than the user-specified HostIP
• ensureLoopbackSetmark() inserts an nftables rule so localhost-originated traffic (src 127.0.0.0/8) is properly masqueraded through the bridge, required because pasta's splice path delivers packets with loopback source addresses
• route_localnet=1 sysctl is set once per rootless netns lifetime so the kernel allows routing of 127.x.x.x-sourced packets to non-loopback interfaces

Current limitations

• IPv4 only (netavark DNAT is IPv4; pesto binds 0.0.0.0 by default)
• Full table replacement per change (brief forwarding gap, possible races with many containers)
• Loopback SETMARK rule directly manipulates netavark's nftables chains
• gatherAllRootlessBridgePorts reads all containers from DB without locks

Fixes: https://redhat.atlassian.net/browse/RUN-2214
Fixes: #8193
Fixes: https://redhat.atlassian.net/browse/RUN-3587

Depends on: passta version tbd
Depends on: containers/container-libs#755
Depends on: #27828
Depends on: #28451

Checklist

Ensure you have completed the following checklist for your pull request to be reviewed:

• Certify you wrote the patch or otherwise have the right to pass it on as an open-source patch by signing all
  commits. (git commit -s). (If needed, use git commit -s --amend). The author email must match
  the sign-off email address. See CONTRIBUTING.md
  for more information.
• Referenced issues using Fixes: #00000 in commit message (if applicable)
• Tests have been added/updated (or no tests are needed)
• Documentation has been updated (or no documentation changes are needed)
• All commits pass make validatepr (format/lint checks)
• Release note entered in the section below (or None if no user-facing changes)

Does this PR introduce a user-facing change?

Rootless bridge network port forwarding now preserves source IPs. Previously, all connections appeared from 127.0.0.1 inside the container due to rootlessport's userspace proxy. Podman now uses pesto to configure pasta's kernel-level forwarding, so containers see the real client IP address.

[packit-as-a-service]

[NON-BLOCKING] Packit jobs failed. @containers/packit-build please check. Everyone else, feel free to ignore.

[packit-as-a-service]

[NON-BLOCKING] Packit jobs failed. @containers/packit-build please check. Everyone else, feel free to ignore.

[Honny1]

Question for reviewers: Should the option for rootlessport exist, or can it be dropped fully?